What AWS service provides secure storage, automatic rotation, and fine-grained access control for secrets such as database credentials, API keys, and other sensitive information?
AWS Secrets Manager
How frequently can AWS Secrets Manager rotate secrets?
As often as every 4 hours, up to a maximum of 999 days
What access methods are available for managing secrets in AWS Secrets Manager?
- Console
- CLI
- API
- SDK
What AWS service does Secrets Manager use to perform automatic secret rotation?
AWS Lambda
What is the sequence of steps involved when an application retrieves and uses database credentials managed by AWS Secrets Manager?
- The application uses SDK to interact with Secrets Manager
- Secrets Manager uses IAM to authorise the Application
- Once authorized Secrets Manager returns database credentials to the application
- The application uses credentials to connect to the database
- At some point in time, the secret manager will rotate credentials
What AWS service does Secrets Manager use to encrypt secrets at rest?
AWS KMS
KMS permissions are also required
What are the main features of AWS Secrets Manager?
- Secure storage of secrets (passwords, API Keys)
- Automatic rotation
- Application integration
- Direct integration with AWS services like RDS
Which AWS Secrets Manager API is used to re-encrypt a secret with a new KMS key after rotating or modifying the Customer Master Key (CMK)?
UpdateSecret
What happens if the old KMS CMK is deleted before calling UpdateSecret on a secret in AWS Secrets Manager?
The secret becomes undecryptable and its contents are permanently lost
Which parameter must be used with the AWS CLI DeleteSecret command to delete a Secrets Manager secret immediately without a recovery window?
--force-delete-without-recoveryForceDeleteWithoutRecovery
Which AWS services have built-in secret rotation support in AWS Secrets Manager?
- Amazon RDS
- Amazon DocumentDB
- Amazon Redshift
-
IAM39
-
STS9
-
Organizations14
-
CloudTrail16
-
KMS14
-
S3128
-
EBS61
-
EFS14
-
VPC104
-
Hybrid Networking66
-
EC2152
-
Route 5336
-
RDS59
-
AWS Backup8
-
ELB44
-
SSM11
-
ECS12
-
ECR11
-
EKS7
-
ASG43
-
Lambda66
-
EventBridge11
-
SNS11
-
Step Functions15
-
API Gateway25
-
SQS41
-
Kinesis45
-
Cognito17
-
Glue13
-
MQ9
-
AppFlow6
-
ACM13
-
CloudFront75
-
Global Accelerator8
-
Storage Gateway58
-
CloudWatch65
-
CloudFormation110
-
Snow Family8
-
Directory Service17
-
DataSync12
-
FSx for Windows File Server13
-
FSx for Lustre15
-
Transfer Family15
-
Code*44
-
Elastic Beanstalk45
-
X-Ray27
-
DynamoDB97
-
ElastiCache19
-
Secrets Manager11
-
Systems Manager12
-
Web Application Firewall30
-
Shield17
-
CloudHSM11
-
Macie14
-
Inspector15
-
GuardDuty8
-
Athena8
-
Redshift12
-
Comprehend3
-
Kendra5
-
Lex4
-
Polly6
-
Rekognition4
-
Textract5
-
Transcribe5
-
Translate6
-
Forecast3
-
Fraund Detector3
-
SageMaker5
-
Local Zones6
